We have described in another paper how to develop and use smart certificates by extending X.509 with several sophisticated features for secure attribute services on the Web. In this paper, we describe an implementation of RBAC (Role-Based Access Control) with role hierarchies on the Web as one possible application of smart certificates. To support RBAC, we issued smart certificates - which hold the subjects' role information - and configured a Web server to use the role information in the certificate instead of identities for its access control mechanism. Since the subjects' role information is provided integrity, the Web server can trust the role information after authentication and certificate verification by SSL, and uses it for role-based access control. To maintain compatibility with existing technologies, such as SSL, we used a bundled (containing the subject's identity and role information) smart certificate in the user-pull model.